SAE: Use random "password" in extra hunting-and-pecking loops

If PWE is discovered before the minimum number of loops (k) is reached,
the extra iterations use a random "password" to further obfuscate the
cost of discovering PWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2015-06-26 11:44:22 +03:00
parent eb5fee0bf5
commit bbb50086e3


@ -423,6 +423,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
u8 addrs[2 * ETH_ALEN];
const u8 *addr[2];
size_t len[2];
u8 dummy_password[32];
size_t dummy_password_len;
int pwd_seed_odd = 0;
u8 prime[SAE_MAX_ECC_PRIME_LEN];
size_t prime_len;
@ -430,6 +432,12 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
size_t bits;
int res;
dummy_password_len = password_len;
if (dummy_password_len > sizeof(dummy_password))
dummy_password_len = sizeof(dummy_password);
if (random_get_bytes(dummy_password, dummy_password_len) < 0)
return -1;
prime_len = sae->tmp->prime_len;
if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
prime_len) < 0)
@ -449,8 +457,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
/*
* H(salt, ikm) = HMAC-SHA256(salt, ikm)
* base = password
* pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
* password || counter)
* base || counter)
*/
sae_pwd_seed_key(addr1, addr2, addrs);
@ -490,6 +499,13 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
x = x_cand;
pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
os_memset(pwd_seed, 0, sizeof(pwd_seed));
/*
* Use a dummy password for the following rounds, if
* any.
*/
addr[0] = dummy_password;
len[0] = dummy_password_len;
} else if (res > 0) {
crypto_bignum_deinit(x_cand, 1);
}
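Review bot: The random stand-in is capped at sizeof(dummy_password) (32 bytes) in the second hunk, so when password_len is larger than 32 the remaining rounds hash a shorter `base || counter` than the rounds that used the real password, and the HMAC-SHA256 input may then cover fewer compression blocks; that leaves a length-dependent difference between the two kinds of rounds, which is the distinction this commit is trying to hide, though whether it is measurable in practice is not something these hunks show. If long passwords matter, size the stand-in to password_len (for example an os_malloc'd buffer released on every exit path of the function) rather than truncating; if the cap is intentional, it deserves a comment, e.g. `/* Stand-in is at most 32 bytes; a longer real password makes the remaining rounds hash a shorter input */`. The switch to the stand-in in this last hunk (addr[0]/len[0]) sits inside the branch that ends at `} else if (res > 0) {`, so the rounds before the PWE is found still use the real password as intended. sae_derive_pwe_ecc begins and ends outside the hunks shown.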